InformAction Forums

Is it possible to allow all pdf's while not unblocking all other plugins (notably flash?)

andrew wrote:Is it possible to allow all pdf's while not unblocking all other plugins (notably flash?)

NoScript does not normally block pdf's per se. However, they may be delivered by JavaScripting, so you might have to temporarily allow the site delivering it, or whitelist it if it is a site you use frequently.

Flash is unrelated to pdf per se, although Adobe owns Flash and the Adobe Acrobat Reader and Pdf Editing software. Others make pdf readers for free general home use, and sell editing software for pdf's, including Foxit.

Also be aware that many pdf's themselves now can contain JavaScript, which, though usually helpful (interactive form), can be, and has been, used for malicious exploits. Therefore, ensure that it is from a trusted source, or, instead of opening it through the browser, download it and scan it with your anti-virus tool.

I prefer to disable Javascript in my pdf reader, and in fact sought out an older version, 2.0, precisely because it has no inherent support for JavaScript. Foxit used to offer this version at their site, but I just looked, and they no longer seem to. It's still at http://www.oldversion.com/Foxit-PDF-Reader.html. It opens pdf's just fine for me.

Please note that the last paragraph is a personal opinion only. Thanks.

andrew wrote:Is it possible to allow all pdf's while not unblocking all other plugins (notably flash?)

From http://noscript.net/features#contentblocking:

You can configure some exception to the Forbid Other Plugins option by setting the noscript.allowedMimeRegExp about:config preference to a pattern matching the content types you want to allow. For instance, setting it to "application/pdf" will let PDF document load automatically on every site. That said, are you sure you need to? Adobe Acrobat Reader plugin got its share of vulnerabilites so far, and after all, you can still allow individual PDF documents from untrusted sites just clicking on their placeholders.

Hope this helps. For what it's worth, I block them all and click on the placeholder for just the ones I want to view.

Alan, woops, forgot the point made the other day: that I open pdfs externally, with the "Open with" dialog box presented by the reader (which includes the "cancel" choice), rather than with the browser plug-in, which I don't use. Thanks for pointing out the difference. But we both came up with the same thing: make sure you trust the site delivering the content, on an individual basis, rather than allowing all automatically.

Thanks for the prompt responses.
alex thanks for the solution, and tom, thanks for pointing out a non-acrobat reader which may not have the same inherent vulnerabilities as adobe does.

You're welcome.
-Alan

andrew, another advantage of the Foxit reader is that it is 1/100 the size of Adobe Acrobat 9.0.
Or another way, Adobe Reader is 100x the size of Foxit.
Complexity is the enemy of security, always. The more there is, the more there is to go wrong.

Please note that enabling JavaScript support in *any* pdf reader may expose you to pdfs containing malicious javascript. That is a personal choice to make, but so far, I've had no usability problems with the JS-free version of Foxit (the older version).

Even with JS added, surely the reader that is 100x as large has many more potential points of failure. Adobe has issued many, many patches for security vulnerabilities.

You're very welcome here, too.